Dnsscan is a tool for finger printing open recursive resolvers. It
runs in conjuction with a small server that knows how to reply to
queries forwarded from probed resolvers.
For example, assume that you have delegated osd.example.org:

osd.example.org. 900 IN NS ns1.example.org.
ns1.example.org. 900 IN A 10.0.0.1

On 10.0.0.1, you would run:

# ./dnsresponder -Q .osd.example.org

On the client that initiates the DNS probes, you would run

$ ./dnsscan -Q .osd.example.org 10.0.0.0/8

Progress of the dnsscan tool can be monitored via a web browser on
port 8080. If the tool crashes or gets terminated, it can be
restarted from the checkpoint file.

Both of the tools log their output into files, the output can be
inspected with the dnsreader tool.

If this does not mean anything to you, you should probably not use
this tool. This tool has been released to support repeatable
research, some of the results obtained with tools such as these have
been published at NDSS'08.

Notice

Use of dnsscan across a large network block requires coordination
with your network provider. In all likelihood, you will receive
(and must manage) abuse complaints due to the volume of DNS queries.
You should consult RFC 1262 for suggestions on how to conduct
such Internet-wide studies.

If you are unable to run dnsscan because of policy limitations, and
are a researcher working to improve the health of the Internet,
you can obtain dnsscan output from OARC, https://oarc.isc.org/